Dear Zoho Customer,
Let me first acknowledge the obvious. The last several hours have been a nightmare for some of you since you have not been able to access the Zoho services you trust and rely on, to run your business. The zoho.com domain was inaccessible for many customers. Rapid corrective action has been possible for many customers to restore service availability but has not worked for some others.
Before I offer explanations, let me offer you my genuine apology. I run Zoho and as a business owner and CEO can fully understand what it means to not be able to access the software and services that keep your businesses on track and serve your customers. For this, I am truly sorry. I have been at the helm of this situation since it broke many hours ago and will continue to be here until everything is fully resolved.
Here’s what happened. Our domain name registrar blacklisted (shut down) our domain. (Registrars are independent organizations that manage the reservation of internet domain names. The registrar does not host any Zoho site, they simply register the zoho.com domain name.) The blacklist lasted about an hour before it was restored. This means any incoming services request to Zoho.com cannot get resolved into the proper IP address that can deliver the services (although the service is still up at the specific IP address). The shutdown impacted some, but not all, customers who tried to use any Zoho service. Unfortunately, domain names still remain a single point of failure in the system.
The shutdown was done by an automatic algorithm in response to phishing complaints against Zoho. (Phishing is a fraudulent attempt by a malicious third party to impersonate a legitimate email address for nefarious activity, like fake invoicing). Phishing has successfully targeted all major email services providers around the globe. Phishing is rampant and mail services providers like Zoho have devised multiple methods to combat it like blacklisting, flagging suspicious emails, scanning, smart filters, and other methods. According to Symantec, 76% of all organizations have reported falling victim to phishing attacks in 2017.
In this case, the registrar received 3 phishing complaints over the last two months (from recipients of third parties phishing messages impersonating Zoho mail), 2 of which were addressed immediately and 1 was under investigation. To put these numbers into context, just one security service company blocked 51 million phishing attempts in 2017.
Somehow this automated algorithm decided to shut down the Zoho domain based on these 3 cases—without prior warning of the shutdown, or investigation into the traffic supported by this domain.
Let me also be clear that there was no cyber attack on Zoho.
What have we done so far?
The registrar restored our name service (DNS) within an hour, but new names (including more than 100 Zoho subdomains, like projects.zoho.com, that have been impacted) take anywhere from 24 to 48 hours to propagate to DNS servers around the globe and reach your business. This is an exceedingly frustrating wait for all of us. We have also migrated to a new registrar (Cloudflare) already.
Until then we have shared multiple workarounds on our @zoho handle on Twitter (and other Zoho social media sites). Many internet service providers are slow to update their domain name resolution servers (DNS servers) but Google and Cloudflare provide fast-updating DNS servers, and those already have the restored Zoho.com name servers cached in them. This is the essence of the workarounds. We have explained how to use them on various operating platforms like Windows, MacOS, Linux, Android, and iOS. These work for many impacted customers, but perhaps not for all. We will continue to explore and post others. In any event, DNS server updates will automatically happen across the globe, making services accessible.
What can you do?
Watch our posts on the @zoho Twitter handle.
If you still face issues, see if any of the workarounds posted under the Zoho handle work for your business
Write to us at firstname.lastname@example.org. We will instantly monitor and respond to all requests to this line.
What are we doing long term?
You have my assurance that nothing like this will ever happen again. We will not let our fate be determined by the automated algorithms of others. We will be a domain registrar ourselves.
I thank you for your support and I will be here until you do not need me anymore.